Feeds

Security muddle better than FUDdle

Meanwhile, in the real world...

  • alert
  • submit to reddit

SANS - Survey on application security programs

Whether it's a student slipping contraband past airport metal detectors, or a researcher modeling an unstoppable computer virus - demonstrations just don't do justice to the real state of security, writes SecurityFocus columnist George Smith.

Look at a photo of Nathaniel Heatwole, the student who performed pro bono security testing on Southwest Airlines. Neat and freshly-scrubbed, he's a good fellow at Guilford College, the winner of a cash award for ham radio broadcasters -- a white-hat hacker trying to make air travel safer.

Not only did Heatwole push box-cutters and other items symbolically meant to appear menacing through airport security, he also showed that the sharing of information isn't so hot. Heatwole warned the Transportation Security Administration about his work in e-mail. The TSA, however, receives 5,700 e-mails a day. In the electronic blizzard, the notification was missed for weeks.

This play has repeated itself in every aspect of physical and electronic security for as long as I've written about the subject. Anyone who has followed the public history of computer intrusion will find the Heatwole case reminiscent of things they have either had to deal with personally or learned of through schooling and the media.

Sending Heatwole to trial is a waste of time. No one was threatened or put in danger, and even the agency that received the black eye, the TSA, didn't have its leaders or employees personally singled out for embarrassment. There was no inconvenience or economic loss. Heatwole has even been reticent with the media, so even if an aim was to be showy, he's been low-key about it.

However, do such things improve security?

After years of thinking about the subject and witnessing similar cases weekly, my gut feeling is they don't. Despite good intent, and even with attention paid, Heatwole will not make security better on the airlines. There are too many carry-on bags to screen with the degree of discernment required to catch everything, and the airlines won't have any customers if they're required to strip search them or nail the bathrooms shut on all flights.

In parallel, it's my hunch that the nation is saturated with news and alarms about security. From gaffes at the national labs, to the Government Accounting Office's stream of reports on poor computer security in various agencies, to Bret McDanel who warned co-workers at his former employer that their e-mail was compromised and had to spend sixteen months in prison before justice finally realized he had done no wrong, the word is always present. Security is too porous, people are screwing up, procedures are rotten, problems are going to be exploited and the house of cards is destined to collapse.

Maybe it's all true.

However, in the rush to publicize that which must be fixed right away the story poorly told is that the infrastructure is managed and kept stable by a just-in-time come-as-you-are workforce. And as a practice -- even though this looks wobbly -- globally and over time, it works.

In the past, I've called this laissez faire computer security, but that's not entirely accurate. It doesn't give nearly enough credit to the people who daily keep their bailiwicks running, clean up after the mistakes of others and work collegially across borders to put out whatever electronic fire must be put out.

Such tenacity and resilience cannot be measured in government reports, although the cost of their overtime labor is always said to be crippling during computer virus outbreaks or surges in the emergency application of serial Microsoft patches. One could just as well discount such alleged expense with the argument that the people are always engaged in productive work, and that we'd see the real cost of network insecurities only if the entire fix-it crew were to permanently disappear all at once.

And the Nathaniel Heatwoles of security, while doing their spot test things, cannot give us an idea about the survivability of a system that during crisis is critically dependent upon people. There's an obvious difference between the galvanizing effect of hiding boxcutters in the bathroom and actually coming out of the watercloset brandishing them. Similarly, describing how a virus can evade anti-virus updates and circle the globe in a flash doesn't really describe its fight vs. people-with-networks and the probable outcome as it transpires.

The challenge to security men and women is to separate being part of a process that is ostensibly about security, but without hope of bettering it, from the thankless work of combining ingenuity with the networked world's equivalents of spit and bailing wire. Should you be a showman if you think no one is paying attention? How effective is sowing suspicion and fear of things to come as a security tool? Or is getting pretty good at just gettin' by fine?

Whatever the answer over the next few years, it'll have to do.

Copyright © SecurityFocus

George Smith is a Senior Fellow at GlobalSecurity.org, a defense affairs think tank and public information group. He also edits the Crypt Newsletter and has written extensively on viruses, the genesis of techno-legends and the impact of both on society.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.